Google has issued an urgent security update for Chrome after a zero-day vulnerability in V8, Chrome's JavaScript and WebAssembly engine, was found being exploited in the wild. The flaw lets an attacker run code on a victim's machine simply by getting them to load a specially crafted web page; no download, prompt or further click is needed. One caveat on the "hijack" framing: a V8 bug on its own yields code execution inside Chrome's sandboxed renderer process, and taking over the whole system additionally requires a sandbox escape, which in-the-wild exploit chains commonly pair with bugs of this kind.
According to NIST, the underlying bug is an out-of-bounds read and write: V8 can be made to read from and write to memory outside the bounds of the object it is operating on. An attacker who controls what sits in that adjacent memory can corrupt neighbouring objects, build the corruption into an arbitrary read/write primitive, and ultimately execute code of their choosing in the process rendering the page. From there the consequences the article lists follow: theft of data the browser holds, surveillance of the user's activity, or, once chained with a sandbox escape, full system compromise.
The flaw is already being exploited in the wild, meaning attackers were using it before a fix was available. That is what makes it a zero-day rather than just another patched bug, and it is why the window between the patch shipping and users installing it matters so much. On the industry-standard CVSS scale the vulnerability scores 8.8 out of 10, which falls in the "High" severity band.
What makes this exploit especially dangerous is its delivery method. A user only needs to visit a compromised or malicious website; the attacker's JavaScript runs as soon as the page loads, with no download, pop-up or permission prompt, so none of the cues users are taught to watch for ever appear. Because the exploit is ordinary web content executed in memory by the browser itself, file-based antivirus scanning and user-awareness training offer little protection. The controls that actually matter are an up-to-date browser, Chrome's renderer sandbox, and limiting which sites are allowed to run script on high-value endpoints.
To mitigate the risk, users are strongly advised to update their browsers immediately. Google shipped the fix in Chrome 137.0.7151.68 for Windows and macOS; any later version also contains it. To check, open chrome://settings/help (Menu > Help > About Google Chrome), which shows the installed version and triggers an update check. The fix only takes effect once the browser is relaunched, so a pending "Relaunch" button means the vulnerable build is still the one running.
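For organizations that need to confirm the patch across a fleet rather than eyeballing one About page, the check below is an added example, not code from the original article or from Google: it parses the output of `google-chrome --version` and compares it numerically against the patched build. The sample output lines are constructed, and the binary names it probes are assumptions about a typical Linux or macOS install. The numeric comparison is the point: a plain string comparison would wrongly treat build 7151.9 as newer than 7151.68.

```python
import re
import shutil
import subprocess
from typing import List, Optional, Tuple

# First Chrome build that contains the fix, per the advisory described above.
FIXED_CHROME_VERSION = "137.0.7151.68"

# Constructed sample lines in the shape `google-chrome --version` prints;
# these are not captured from a real host.
SAMPLE_VERSION_OUTPUT = [
    "Google Chrome 137.0.7151.55",
    "Google Chrome 137.0.7151.68",
    "Google Chrome 137.0.7151.9",   # older than .68, but sorts AFTER it as a string
    "Chromium 138.0.7204.49",
]


def parse_version(text: str) -> Optional[Tuple[int, ...]]:
    """Pull a dotted version out of a --version line as a tuple of ints.

    Returns None when no version is present so callers can tell
    'not installed / unparsable' apart from 'installed but old'.
    """
    m = re.search(r"(\d+(?:\.\d+){1,3})", text)
    if not m:
        return None
    return tuple(int(part) for part in m.group(1).split("."))


def is_patched(installed: str, fixed: str = FIXED_CHROME_VERSION) -> Optional[bool]:
    """Compare component by component, numerically.

    "137.0.7151.9" > "137.0.7151.68" is True for strings, yet 7151.9 is the
    older build. Tuples of ints compare the way release engineers intend.
    Only valid for Google Chrome's own numbering: Edge, Brave and Opera carry
    different version numbers and must be checked against their vendor's notes.
    """
    inst = parse_version(installed)
    want = parse_version(fixed)
    if inst is None or want is None:
        return None
    # Pad shorter tuples with zeros so "137.0" compares against "137.0.0.0".
    width = max(len(inst), len(want))
    inst += (0,) * (width - len(inst))
    want += (0,) * (width - len(want))
    return inst >= want


def installed_chrome_version() -> Optional[str]:
    """Best-effort local probe using common Linux/macOS binary names (assumed)."""
    for exe in ("google-chrome", "google-chrome-stable", "chromium", "chromium-browser"):
        path = shutil.which(exe)
        if path:
            try:
                out = subprocess.run([path, "--version"], capture_output=True,
                                     text=True, timeout=10)
                return out.stdout.strip()
            except (OSError, subprocess.SubprocessError):
                return None
    return None


def report(lines: List[str]) -> List[Tuple[str, str]]:
    """Map each --version line to a verdict suitable for an inventory report."""
    results = []
    for line in lines:
        status = is_patched(line)
        if status is None:
            verdict = "unknown"
        elif status:
            verdict = "patched"
        else:
            verdict = "VULNERABLE: update now"
        results.append((line, verdict))
    return results


if __name__ == "__main__":
    live = installed_chrome_version()
    lines = [live] if live else SAMPLE_VERSION_OUTPUT
    for line, verdict in report(lines):
        print(f"{line!r:40} -> {verdict}")
```

Run it on a host with Chrome installed and it reports the live binary; without one it falls back to the constructed samples, which is enough to see the string-versus-numeric pitfall. Note that `--version` reports the binary on disk, not the process in memory, so a host that updated but has not relaunched Chrome will show as patched while still running the old code.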
Importantly, this issue doesn't only affect Chrome. Any browser built on Chromium, such as Microsoft Edge, Brave or Opera, embeds the same V8 engine and inherits the bug until it pulls in the fixed Chromium code. Each vendor ships that fix on its own schedule and under its own version numbers, so check the vendor's release notes rather than assuming the Chrome build number above applies to them.
This incident shows how quickly a flaw can go from discovery to weaponization. With exploitation already under way, every day an update is deferred extends the window in which a single visit to the wrong page is enough. For individuals that means updating and relaunching now; for organizations it means confirming through endpoint inventory that the patched build is actually installed and running across the fleet, not merely pushed. Keeping browsers current is no longer optional; it is the baseline.